Learning Password Best Practices Through In-Task Instruction

Abstract: Users often make security- and privacy-relevant decisions without a clear understanding of the rules that govern safe behavior. We introduce pedagogical friction, a design approach that introduces brief, instructional interactions at the moment of action. We evaluate this approach in the context of password creation, a task with clear, objective quality criteria and broad familiarity. We conducted a randomized repeated-measures study with 128 participants across four interface conditions that varied the depth and interactivity of guidance. We assessed three outcomes: (1) rule compliance in a subsequent password task without guidance, (2) accuracy on survey questions matched to the rules shown earlier, and (3) behavior-knowledge alignment, which captures whether participants who correctly followed a rule also recognized it on the survey. Across all guided conditions, participants corrected most rule violations in the follow-up task, achieved moderate accuracy on matched rule questions, and showed high behavior-knowledge alignment. These results support pedagogical friction as a lightweight and generalizable intervention for security- and privacy-critical interfaces.